[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 531.339350] audit: type=1400 audit(1601625962.653:8): avc: denied { execmem } for pid=6486 comm="syz-executor953" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 531.381133] F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 531.382476] F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 531.389828] F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock
[ 531.408113] F2FS-fs (loop1): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 531.408474] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 531.418328] F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 531.423986] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock
[ 531.431556] F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock
[ 531.441671] F2FS-fs (loop4): invalid crc value
[ 531.445676] F2FS-fs (loop1): Can't find valid F2FS filesystem in 2th superblock
[ 531.854280] ==================================================================
[ 531.861950] BUG: KASAN: use-after-free in f2fs_evict_inode+0x1058/0x1380
[ 531.868798] Read of size 4 at addr ffff8880a4281ad0 by task syz-executor953/6500
[ 531.876325]
[ 531.877959] CPU: 0 PID: 6500 Comm: syz-executor953 Not tainted 4.19.149-syzkaller #0
[ 531.885834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 531.895249] Call Trace:
[ 531.897231] kasan: CONFIG_KASAN_INLINE enabled
[ 531.897925] dump_stack+0x22c/0x33e
[ 531.897976] print_address_description.cold+0x56/0x25c
[ 531.911486] kasan_report_error.cold+0x66/0xb9
[ 531.916249] ? f2fs_evict_inode+0x1058/0x1380
[ 531.916332] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 531.920761] __asan_report_load4_noabort+0x88/0x90
[ 531.920779] ? f2fs_evict_inode+0x1058/0x1380
[ 531.920794] f2fs_evict_inode+0x1058/0x1380
[ 531.920813] ? f2fs_write_inode+0x600/0x600
[ 531.920854] evict+0x2ed/0x780
[ 531.920873] iput+0x511/0x890
[ 531.932217] kasan: CONFIG_KASAN_INLINE enabled
[ 531.933198] dentry_unlink_inode+0x265/0x320
[ 531.933216] __dentry_kill+0x3c0/0x640
[ 531.940014] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 531.942010] dentry_kill+0xc4/0x510
[ 531.942028] shrink_dentry_list+0x2eb/0x740
[ 531.942051] shrink_dcache_sb+0x144/0x220
[ 531.942067] ? shrink_dentry_list+0x740/0x740
[ 531.942158] ? mark_held_locks+0xa6/0xf0
[ 531.942176] ? f2fs_fill_super+0x2d5e/0x7920
[ 531.947599] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 531.949678] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 531.952762] CPU: 1 PID: 6496 Comm: syz-executor953 Not tainted 4.19.149-syzkaller #0
[ 531.957334] f2fs_fill_super+0x2d89/0x7920
[ 531.961712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 531.965625] ? snprintf+0xbb/0xf0
[ 531.972930] RIP: 0010:f2fs_evict_inode+0xedf/0x1380
[ 531.976554] ? f2fs_commit_super+0x400/0x400
[ 531.980851] Code: c1 ea 03 80 3c 02 00 0f 85 dc 03 00 00 49 8b 9c 24 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ab 03 00 00 48 8b 7b 30 4c 89 f2 4c 89 f6 e8 68
[ 531.985053] ? __mutex_add_waiter+0x160/0x160
[ 531.989463] RSP: 0018:ffff8880a416f768 EFLAGS: 00010206
[ 531.993568] ? set_blocksize+0x163/0x3f0
[ 531.997904] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83321989
[ 532.004633] mount_bdev+0x2fc/0x3b0
[ 532.009144] RDX: 0000000000000006 RSI: ffffffff8332237f RDI: 0000000000000030
[ 532.017016] ? f2fs_commit_super+0x400/0x400
[ 532.021222] RBP: ffff88807fd8f400 R08: 0000000000000000 R09: 0000000000000000
[ 532.030565] mount_fs+0xa3/0x318
[ 532.033985] R10: 0000000000000007 R11: 0000000000000001 R12: ffff888084a48dc0
[ 532.039002] vfs_kern_mount.part.0+0x68/0x470
[ 532.043383] R13: ffff88807fd8f7d0 R14: 0000000000000003 R15: ffff8880a3e2e9b8
[ 532.062274] do_mount+0x51c/0x2f10
[ 532.066746] FS: 00007fac44338700(0000) GS:ffff8880ae300000(0000) knlGS:0000000000000000
[ 532.072090] ? do_raw_spin_unlock+0x171/0x240
[ 532.076139] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 532.083449] ? check_preemption_disabled+0x41/0x2b0
[ 532.087013] CR2: 000055ea2e9fd658 CR3: 00000000a386e000 CR4: 00000000001406e0
[ 532.094269] ? copy_mount_string+0x40/0x40
[ 532.098648] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 532.105947] ? kmem_cache_alloc_trace+0x379/0x4b0
[ 532.109247] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 532.116521] ? copy_mount_options+0x261/0x370
[ 532.120991] Call Trace:
[ 532.128250] ksys_mount+0xcf/0x130
[ 532.131791] ? f2fs_write_inode+0x600/0x600
[ 532.139991] __x64_sys_mount+0xba/0x150
[ 532.144487] evict+0x2ed/0x780
[ 532.150448] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 532.155438] iput+0x511/0x890
[ 532.162758] do_syscall_64+0xf9/0x670
[ 532.166903] dentry_unlink_inode+0x265/0x320
[ 532.174157] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 532.178979] __dentry_kill+0x3c0/0x640
[ 532.186232] RIP: 0033:0x44d83a
[ 532.190713] dentry_kill+0xc4/0x510
[ 532.193360] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 532.196880] shrink_dentry_list+0x2eb/0x740
[ 532.201173] RSP: 002b:00007fac44337bf8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 532.205136] shrink_dcache_sb+0x144/0x220
[ 532.208299] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000044d83a
[ 532.212863] ? shrink_dentry_list+0x740/0x740
[ 532.212881] ? mark_held_locks+0xa6/0xf0
[ 532.215963] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fac44337c10
[ 532.219754] ? f2fs_fill_super+0x2d5e/0x7920
[ 532.224145] RBP: 00007fac44337c10 R08: 00007fac44337c50 R09: 0000000000000000
[ 532.229327] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 532.233188] R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
[ 532.236401] f2fs_fill_super+0x2d89/0x7920
[ 532.240000] R13: 00007fac44337c50 R14: 00007fac443386d0 R15: 0000000000000003
[ 532.258912] ? snprintf+0xbb/0xf0
[ 532.263195]
[ 532.270898] ? f2fs_commit_super+0x400/0x400
[ 532.275074] Allocated by task 6500:
[ 532.282297] ? __mutex_add_waiter+0x160/0x160
[ 532.286768] kmem_cache_alloc_trace+0x12f/0x4b0
[ 532.290804] ? set_blocksize+0x163/0x3f0
[ 532.298058] f2fs_fill_super+0x145/0x7920
[ 532.302442] mount_bdev+0x2fc/0x3b0
[ 532.309690] mount_bdev+0x2fc/0x3b0
[ 532.314251] ? f2fs_commit_super+0x400/0x400
[ 532.321501] mount_fs+0xa3/0x318
[ 532.325716] mount_fs+0xa3/0x318
[ 532.332974] vfs_kern_mount.part.0+0x68/0x470
[ 532.336403] vfs_kern_mount.part.0+0x68/0x470
[ 532.338007] do_mount+0x51c/0x2f10
[ 532.342410] do_mount+0x51c/0x2f10
[ 532.346031] ksys_mount+0xcf/0x130
[ 532.350506] ? do_raw_spin_unlock+0x171/0x240
[ 532.355151] __x64_sys_mount+0xba/0x150
[ 532.359189] ? check_preemption_disabled+0x41/0x2b0
[ 532.363332] do_syscall_64+0xf9/0x670
[ 532.366933] ? copy_mount_string+0x40/0x40
[ 532.370541] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 532.374930] ? kmem_cache_alloc_trace+0x379/0x4b0
[ 532.378278]
[ 532.381633] ? copy_mount_options+0x261/0x370
[ 532.386098] Freed by task 6500:
[ 532.390576] ksys_mount+0xcf/0x130
[ 532.394099] kfree+0xcc/0x250
[ 532.397617] __x64_sys_mount+0xba/0x150
[ 532.401137] f2fs_fill_super+0x2d5e/0x7920
[ 532.405612] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 532.409563] mount_bdev+0x2fc/0x3b0
[ 532.414562] do_syscall_64+0xf9/0x670
[ 532.418345] mount_fs+0xa3/0x318
[ 532.422562] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 532.427742] vfs_kern_mount.part.0+0x68/0x470
[ 532.432559] RIP: 0033:0x44d83a
[ 532.434425] do_mount+0x51c/0x2f10
[ 532.438898] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 532.442153] ksys_mount+0xcf/0x130
[ 532.445665] RSP: 002b:00007fac44337bf8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 532.448755] __x64_sys_mount+0xba/0x150
[ 532.452722] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000044d83a
[ 532.456941] do_syscall_64+0xf9/0x670
[ 532.461492] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fac44337c10
[ 532.465105] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 532.468874] RBP: 00007fac44337c10 R08: 00007fac44337c50 R09: 0000000000000000
[ 532.472213]
[ 532.477394] R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
[ 532.481874] The buggy address belongs to the object at ffff8880a4280d80
[ 532.481874] which belongs to the cache kmalloc-8192 of size 8192
[ 532.485041] R13: 00007fac44337c50 R14: 00007fac443386d0 R15: 0000000000000003
[ 532.488564] The buggy address is located 3408 bytes inside of
[ 532.488564] 8192-byte region [ffff8880a4280d80, ffff8880a4282d80)
[ 532.507448] Modules linked in:
[ 532.510967] The buggy address belongs to the page:
[ 532.522270] general protection fault: 0000 [#2] PREEMPT SMP KASAN
[ 532.522696] page:ffffea000290a000 count:1 mapcount:0 mapping:ffff88812c3f5080 index:0x0 compound_mapcount: 0
[ 532.529956] CPU: 1 PID: 6501 Comm: syz-executor953 Tainted: G D 4.19.149-syzkaller #0
[ 532.533734] flags: 0xfffe0000008100(slab|head)
[ 532.540980] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 532.546164] raw: 00fffe0000008100 ffffea0002127308 ffffea0002129208 ffff88812c3f5080
[ 532.553443] RIP: 0010:f2fs_evict_inode+0xedf/0x1380
[ 532.555039] raw: 0000000000000000 ffff8880a4280d80 0000000100000001 0000000000000000
[ 532.562300] Code: c1 ea 03 80 3c 02 00 0f 85 dc 03 00 00 49 8b 9c 24 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ab 03 00 00 48 8b 7b 30 4c 89 f2 4c 89 f6 e8 68
[ 532.575113] page dumped because: kasan: bad access detected
[ 532.582391] RSP: 0018:ffff888084ac7768 EFLAGS: 00010206
[ 532.594425]
[ 532.597789] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83321989
[ 532.602686] Memory state around the buggy address:
[ 532.608907] RDX: 0000000000000006 RSI: ffffffff8332237f RDI: 0000000000000030
[ 532.618871] ffff8880a4281980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 532.628129] RBP: ffff88807fd9a480 R08: 0000000000000000 R09: 0000000000000000
[ 532.634254] ffff8880a4281a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 532.643603] R10: 0000000000000007 R11: 0000000000000001 R12: ffff8880a4238e00
[ 532.651470] >ffff8880a4281a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 532.656479] R13: ffff88807fd9a850 R14: 0000000000000003 R15: ffff8880a4666c38
[ 532.664362] ^
[ 532.683264] FS: 00007fac44338700(0000) GS:ffff8880ae300000(0000) knlGS:0000000000000000
[ 532.689049] ffff8880a4281b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 532.694404] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 532.696008] ffff8880a4281b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 532.703264] CR2: 000055ea2e9fd658 CR3: 00000000a7fa8000 CR4: 00000000001406e0
[ 532.708170] ==================================================================
[ 532.715425] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 532.801742] Kernel panic - not syncing: panic_on_warn set ...
[ 532.801742]
[ 532.808841] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 532.830687] Call Trace:
[ 532.833279] ? f2fs_write_inode+0x600/0x600
[ 532.837617] evict+0x2ed/0x780
[ 532.840804] iput+0x511/0x890
[ 532.843906] dentry_unlink_inode+0x265/0x320
[ 532.848312] __dentry_kill+0x3c0/0x640
[ 532.852200] dentry_kill+0xc4/0x510
[ 532.855827] shrink_dentry_list+0x2eb/0x740
[ 532.860150] shrink_dcache_sb+0x144/0x220
[ 532.864305] ? shrink_dentry_list+0x740/0x740
[ 532.868796] ? mark_held_locks+0xa6/0xf0
[ 532.872855] ? f2fs_fill_super+0x2d5e/0x7920
[ 532.877261] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 532.881836] f2fs_fill_super+0x2d89/0x7920
[ 532.886080] ? snprintf+0xbb/0xf0
[ 532.889536] ? f2fs_commit_super+0x400/0x400
[ 532.893953] ? __mutex_add_waiter+0x160/0x160
[ 532.898443] ? set_blocksize+0x163/0x3f0
[ 532.902503] mount_bdev+0x2fc/0x3b0
[ 532.906123] ? f2fs_commit_super+0x400/0x400
[ 532.910528] mount_fs+0xa3/0x318
[ 532.913894] vfs_kern_mount.part.0+0x68/0x470
[ 532.918383] do_mount+0x51c/0x2f10
[ 532.921916] ? do_raw_spin_unlock+0x171/0x240
[ 532.926416] ? check_preemption_disabled+0x41/0x2b0
[ 532.931427] ? copy_mount_string+0x40/0x40
[ 532.935658] ? kmem_cache_alloc_trace+0x379/0x4b0
[ 532.940494] ? copy_mount_options+0x261/0x370
[ 532.945170] ksys_mount+0xcf/0x130
[ 532.948704] __x64_sys_mount+0xba/0x150
[ 532.952672] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 532.957246] do_syscall_64+0xf9/0x670
[ 532.961044] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 532.966224] RIP: 0033:0x44d83a
[ 532.969425] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 532.988349] RSP: 002b:00007fac44337bf8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 532.996049] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000044d83a
[ 533.003311] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fac44337c10
[ 533.010571] RBP: 00007fac44337c10 R08: 00007fac44337c50 R09: 0000000000000000
[ 533.018441] R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
[ 533.025703] R13: 00007fac44337c50 R14: 00007fac443386d0 R15: 0000000000000003
[ 533.032969] Modules linked in:
[ 533.037270] Kernel Offset: disabled
[ 533.040893] Rebooting in 86400 seconds..